Promoting Application Security Within Federal Government

Presented at OWASP Appsec 2009 by

Currently, federal government organizations are not particularly focused on application-layer security. The major reason is that federal organizations are driven primarily by compliance-related pressures. While FISMA presents a comprehensive approach to managing information security risk, the actual security controls defined in the NIST FISMA guidelines stress traditional network and platform security far more than application security. In this presentation, we will walk through the NIST Special Publication 800-53 security controls (a subset of the controls required to support FISMA compliance) that directly or indirectly imply the need to implement and assess application security. We will also present the components of the NIST Security Content Automation Program (S-CAP) that support application security. Finally, we will identify the gaps that remain in the drivers for federal government implementation of effective application security programs and provide recommendations on how to close them.